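/**
 * Ends the current user's session and sends the browser to the start page.
 *
 * Clears the server-side session data, expires the session cookie on the
 * client where that is still possible, destroys the session and redirects.
 */
public static function logOutUser()
{
    /* Empty the session by assignment. unset($_SESSION) is the form the PHP
     * manual warns against: it disables the $_SESSION superglobal for the
     * remainder of the request instead of clearing its contents. */
    $_SESSION = [];

    /* Expire the session cookie client-side too, otherwise the old session id
     * keeps being presented until the browser discards it. This is guarded
     * because the wallet page calls logOutUser() after including its header,
     * so output may already have started and headers may no longer be sendable. */
    if (ini_get('session.use_cookies') && !headers_sent()) {
        $cookie = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            time() - 42000,
            $cookie['path'],
            $cookie['domain'],
            $cookie['secure'],
            $cookie['httponly']
        );
    }

    /* Destroy the server-side session storage; only valid on an active session,
     * calling it otherwise just emits a warning. */
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }

    /* NOTE(review): assumes Redirect::phpRedirect() terminates the request;
     * if it does not, callers continue executing after the logout. */
    Redirect::phpRedirect("start");
}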
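/**
 * Authenticates a user by username and password.
 *
 * On success the user is marked as logged in via User::logInUser() and sent
 * to the wallet page. On any failure (unknown username, wrong password,
 * query error) the same generic Message(12) is raised, so the response does
 * not reveal whether the account exists.
 *
 * @param string $username the username as submitted by the form
 * @param string $password the password as submitted by the form
 * @return void
 */
public static function login($username, $password)
{
    /* The mysqli connection is shared through a global by the rest of the app. */
    global $dbConn;

    /* Fetch the salt and stored hash with a prepared statement: the username
     * is bound as a parameter, never interpolated into the SQL text, so no
     * manual escaping is needed (and escaping would corrupt names such as
     * O'Brien, which real_escape_string would turn into O\'Brien). */
    $salt = "";
    $storedHash = "";
    $stmt = $dbConn->prepare(
        "SELECT `salt`, `password` FROM `accounts` WHERE `username`=? LIMIT 1"
    );
    if ($stmt) {
        $stmt->bind_param("s", $username);
        if ($stmt->execute()) {
            $stmt->bind_result($rowSalt, $rowHash);
            if ($stmt->fetch()) {
                $salt = (string) $rowSalt;
                $storedHash = (string) $rowHash;
            }
        }
        $stmt->close();
    }

    /* The previous implementation ran the password through real_escape_string
     * before hashing and states that this mirrors registration; the same
     * transformation is kept so existing stored hashes still match.
     * NOTE(review): confirm against Account::create — if registration hashes
     * the raw password, this escape must be removed here as well. */
    $password = $dbConn->real_escape_string($password);

    /* Salted SHA-256 is the scheme registration uses, so it has to be
     * reproduced here. NOTE(review): a migration to password_hash()/
     * password_verify() would need Account::create changed and a rehash of
     * each account on its next successful login. */
    $hashedPassword = hash("sha256", $salt . $password . $salt);

    /* An unknown username does not return early: it falls through with an
     * empty salt and hash so both failure paths do the same work and raise the
     * same generic message. hash_equals() is a constant-time, strict string
     * comparison; the old `!=` was a loose comparison. */
    if (!hash_equals($storedHash, $hashedPassword)) {
        new Message(12);
        return;
    }

    /* Record the authenticated user in the session. NOTE(review): session id
     * regeneration is expected to happen inside User::logInUser(); it is not
     * visible from here. */
    User::logInUser($username);

    /* Send the user on to the wallet dashboard. */
    Redirect::phpRedirect("wallet");
}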
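<?php
include 'app/includes/header.php';

/* Only a logged-in user may see this page; everyone else is sent back to the
 * login page. NOTE(review): this relies on Redirect::phpRedirect() ending the
 * request — if it only emits a header, the rest of the page still renders. */
if (!User::isLoggedIn()) {
    Redirect::phpRedirect("start");
}

/* A ?logout query parameter on this page ends the session. */
if (isset($_GET['logout'])) {
    User::logOutUser();
}

/* The session values echoed below originate from user input (the username is
 * chosen at registration, the IP comes from the request), so each one is
 * HTML-escaped for the attribute and text contexts it is written into. */
$escapedUsername = htmlspecialchars(
    (string) (isset($_SESSION['user']['username']) ? $_SESSION['user']['username'] : ''),
    ENT_QUOTES | ENT_SUBSTITUTE,
    'UTF-8'
);
$escapedLastLogin = htmlspecialchars(
    (string) (isset($_SESSION['user']['lastLogin']) ? $_SESSION['user']['lastLogin'] : ''),
    ENT_QUOTES | ENT_SUBSTITUTE,
    'UTF-8'
);
$escapedLastIP = htmlspecialchars(
    (string) (isset($_SESSION['user']['lastIP']) ? $_SESSION['user']['lastIP'] : ''),
    ENT_QUOTES | ENT_SUBSTITUTE,
    'UTF-8'
);
?>
<div class="top-container"> <div class="row"> <div class="large-10 large-centered columns"> <img src="content/img/bow-small.png" class="logo"/> <span class="user-logout"> Welcome <span data-tooltip aria-haspopup="true" class="has-tip" title="Last login at <?php echo $escapedLastLogin . ' from ' . $escapedLastIP; ?> "> <?php echo $escapedUsername; ?> </span> <a class="logout" href="wallet?logout">Log out <i class="fa fa-sign-out"></i></a> </span>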
<label id="eLbl">Email address</label> <input type="email" name="email" id="eTxt"/> <!-- <label class="chklbl"><input type="checkbox" name="chkSaveUsername"><span class="label-text">Remember Username</span></label> --> <input type="submit" id="loginBtn" value="Login"> <a href="#" id="sign-up">Sign up for an account</a> <a href="#" id="sign-in">Sign in with an account</a> <?php /* Check if the user is already logged in and if he is * redirect him to his wallet panel. */ if (User::isLoggedIn()) { Redirect::phpRedirect("wallet"); } /* Check if the user has submitted the form. */ if (isset($_POST) && !empty($_POST)) { /* We get the forms' submitted data. */ $formType = $_POST['formType']; $username = $_POST['username']; $password = $_POST['password']; $repeat = $_POST['repeat']; $email = $_POST['email']; /* We check to see if the user wanted to login or register. */ if ($formType == "login") { Account::login($username, $password); } else { if ($formType == "register") { Account::create($username, $password, $repeat, $email);